<p>A hard-coded secret has been found in your code. You should quickly list where this secret is used, revoke it, and then change it in every system
that uses it.</p>
<p>Passwords, secrets, and any type of credentials should only be used to authenticate a single entity (a person or a system).</p>
<p>If you allow third parties to authenticate as another system or person, they can impersonate legitimate identities and undermine trust within the
organization.<br> It does not matter if the impersonation is malicious: In either case, it is a clear breach of trust in the system, as the systems
involved falsely assume that the authenticated entity is who it claims to be.<br> The consequences can be catastrophic.</p>
<p>Keeping credentials in plain text in a code base is tantamount to sharing that password with anyone who has access to the source code and runtime
servers.<br> Thus, it is a breach of trust, as these individuals have the ability to impersonate others.</p>
<p>Secret management services are the most efficient tools to store credentials and protect the identities associated with them.<br> Cloud providers
and on-premise services can be used for this purpose.</p>
<p>If storing credentials in a secret data management service is not possible, follow these guidelines:</p>
<ul>
  <li> Do not store credentials in a file that an excessive number of people can access.
    <ul>
      <li> For example, not in code, not in a spreadsheet, not on a sticky note, and not on a shared drive. </li>
    </ul>  </li>
  <li> Use the production operating system to protect password access control.
    <ul>
      <li> For example, in a file whose permissions are restricted and protected with chmod and chown. </li>
    </ul>  </li>
</ul>
<h2>Noncompliant Code Example</h2>
<pre>
import org.h2.security.SHA256;

String inputString = "s3cr37";
byte[] key         = inputString.getBytes();

SHA256.getHMAC(key, message);  // Noncompliant
</pre>
<h2>Compliant Solution</h2>
<p>Using <a href="https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager">AWS Secrets Manager</a>:</p>
<pre>
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import org.h2.security.SHA256;

public static void doSomething(SecretsManagerClient secretsClient, String secretName) {
  GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()
    .secretId(secretName)
    .build();

  GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);
  String secret                        = valueResponse.secretString();

  byte[] key = secret.getBytes();
  SHA256.getHMAC(key, message);
}
</pre>
<p>Using <a href="https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli">Azure Key Vault Secret</a>:</p>
<pre>
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import org.h2.security.SHA256;

public static void doSomething(SecretClient secretClient, String secretName) {
  KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);
  String secret = retrievedSecret.getValue();

  byte[] key = secret.getBytes();
  SHA256.getHMAC(key, message);
}
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://aws.amazon.com/fr/secrets-manager/">AWS</a> - Secret Manager </li>
  <li> <a href="https://azure.microsoft.com/fr-fr/services/key-vault/">Azure</a> - Key Vault </li>
  <li> <a href="https://cloud.google.com/secret-manager">GCP</a> - Secret Manager </li>
  <li> <a href="https://www.vaultproject.io/">Hashicorp Vault</a> - Secret Management </li>
  <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
  Authentication Failures </li>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication">OWASP Top 10 2017 Category A2</a> - Broken Authentication </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/798.html">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/259.html">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
</ul>

